We apply new bilevel and trilevel optimization models to make critical infrastructure more resilient against terrorist attacks. Each model features an intelligent attacker (terrorists) and a defender (us), information transparency, and sequential actions by attacker and defender. We illustrate with examples of the US Strategic Petroleum Reserve, the US Border Patrol at Yuma, Arizona, and an electrical transmission system. We conclude by reporting insights gained from the modeling experience and many "red-team" exercises. Each exercise gathers open-source data on a real-world infrastructure system, develops an appropriate bilevel or trilevel model, and uses these to identify vulnerabilities in the system or to plan an optimal defense.

Our national strategy for homeland security deems these 13 infrastructure sectors critical to the United States: agriculture, banking and finance, chemical industry, defense industrial base, emergency services, energy, food, government, information and telecommunications, postal and shipping, public health, transportation, and water (Department of Homeland Security 2002, p. 30). In this paper, we introduce methods to identify vulnerabilities in these critical sectors and plan defensive measures. We also expand on conclusions found in a tutorial by Brown et al. (2005a).

Any critical-infrastructure system represents an enormous public investment. Even a minor disruption, randomly or deliberately caused, can degrade the system's performance and inflict substantial economic losses. How do we analyze the vulnerability of such a system to a set of coordinated terrorist attacks, and make informed proposals for reducing that vulnerability?

The techniques of system-reliability analysis have been proposed for gauging vulnerability (Garcia 2001, pp. 39-48). For example, real-time reliability assessment of an electric power grid may pronounce the system robust if there is no single point of failure (e.g., Wood and Wollenberg 1996, pp. 410-430). Fault-tree analysis, as used in transportation systems, power plants, and other critical systems (Roberts et al. 1981), typically identifies minimal sets of events, or "cutsets," that are most likely to disrupt a system, and pronounces the system robust if the combined probability of occurrence is sufficiently low.

However, infrastructure that resists single points of random failure — these are single-element cutsets — or whose cutsets have low occurrence probabilities, may not survive an intelligently malicious attack. Random component failures offer a poor paradigm in a world with intelligent adversaries.

Vulnerability analysis must consider our adversary's ability to collect information about our infrastructure and use this information to identify weak points. A captured al Qaeda training manual advises: "Using [public sources] openly and without resorting to illegal means, it is possible to gather at least 80% of information about the enemy" (Federation of American Scientists 2006, p. UK/BM 80). In fact, we find that public sources often provide 100 percent of the information required to plan a devastating attack on an infrastructure system.

Al Qaeda also teaches the "overthrow of godless regimes [by] gathering information about the enemy, the land, the installations, and the neighbors ... blasting and destroying the places of amusement, ... embassies, ... vital economic centers, ... bridges leading into and out of cities, ..." (Federation of American Scientists 2006, p. UK/BM 12). Al Qaeda may not possess perfect models of our infrastructure, but its operatives are instructed to gather relevant information. That information can then be used to plan the most damaging attacks it can implement. Consequently, prudence dictates that we assume (1) that al Qaeda, or any other terrorist organization, will use its limited offensive resources to maximize damage to the infrastructure it decides to attack; and (2) that the terrorist organization has all the information necessary to accomplish its mission.

How would the military assess vulnerability when faced with an intelligent enemy? First, it would assume that our infrastructure will be attacked and would take steps to protect it, i.e., harden the infrastructure or improve its active defenses. The budget for this purpose will always be limited, but often not pre-specified. The military typically draws up a prioritized list of "defended assets" in need of protection, along with a list of potential protective measures, and presents these to policy makers. The latter parties make the final decisions after balancing costs, effectiveness, and intangibles, and after determining the budget. The United States Army (Department of the Army 2002a, b) applies four doctrinal components to evaluate and prioritize its defended assets (as well as those of its enemies): criticality (how essential is the asset?), vulnerability (how susceptible is the asset to surveillance or attack?), reconstitutability (how hard will it be to recover from inflicted damage?), and threat (how probable is an attack on this asset?).

However, a prioritized list of defended assets has a serious flaw for our applications. Such a list creates a "preferred set" of n + 1 assets by adding one asset to the preferred set of size n. But, we know that an optimal set of size n and an optimal set of size n + 1 may have nothing in common. For instance, a community with funds to build a new facility for one bomb-disposal truck would select the most central location. However, if the community has money available for two facilities and two trucks, it would select two completely different facility locations, based on their ability to provide better average response time.

There are other differences that distinguish military and civilian infrastructure vulnerability. Military infrastructure is usually "hard" and well protected, while most civilian infrastructure in the United States is "soft," i.e., open to surveillance and attack, from an enemy that could be anywhere. Military planners assess probabilities of winning and losing, while civilians assume that they will eventually recover from an attack, no matter how damaging. Military planners also have extensive experience in assessing the likelihood that an enemy will choose a particular plan of attack ("course of action"). As civilian security planners, we are new to such analysis; we must learn to plan for what is possible, rather than what subjective assessments indicate is likely. We need a better method to assess the vulnerability of civilian infrastructure. Worst-case analysis is critical.

We apply attacker-defender models, and other related bilevel and trilevel optimization models, to these problems. These models do not normally attempt to measure directly the importance or value of an individual system component, i.e., "asset." They model a complete infrastructure system and its value to society, including how losses of the system's assets reduce that value, or how improvements in the system mitigate lost value. The exact meaning of value will depend on the system being modeled. It may mean economic output, production of a commodity, or time to detection of a toxic substance. Furthermore, (operating) cost, the converse of value, will often be a more convenient measure of how well a system functions. (The attacker-defender model is often called an "interdiction model" in the literature, e.g., Golden 1978, Wood 1993.)

An attacker-defender model does address criticality, vulnerability, reconstitutability, and threat, but in a very different way than military planners might. We include reconstitutability, when appropriate, by representing the repair of damaged assets over time, and how repaired assets contribute to improved system value (Salmeron et al. 2004b). We assume that each system component is vulnerable to attack unless it is specifically hardened or defended. We address "threat" by positing different levels of offensive resources for the terrorists. At the end of an analysis, we can determine the criticality of a group of assets, i.e., the value of protecting or hardening a given set of assets. We can also determine the value of adding redundant assets to improve the system's robustness.
In essence, an attacker-defender model becomes a submodel in a formal model or informal procedure for identifying a near-optimal, budget-limited defense plan. The formal model is a defender-attacker-defender model. However, a simpler defender-attacker model may suffice for this purpose if the contribution of a single asset to system performance is easy to define. We cover each of these three model types in this paper.

We present the basic models in the next three sections. If the mathematics is not of interest, the reader may skim those sections and continue with the "Three Examples" and "Supply Chains and Other Systems" sections to learn what we have discovered and how we generalize our findings. Brown et al. (2005a) provide additional examples.

Attacker-Defender Models

The core of an attacker-defender model is an optimization model of an infrastructure system whose objective represents the system's value or cost to the defender, i.e., our society, while it operates. For instance, the maximum throughput of a pipeline network could measure that system's value, while power-generation costs, plus economic losses resulting from unmet demand, could measure the cost of operating an electric power grid. We use cost rather than value in the following model.

We assume that the defender operates a system to minimize cost, which is represented by a linear function. The defender's problem is

(D)  $\min_{y \in Y} \; c y$,  (1)

where c defines a vector of component operating costs (and/or penalties), y represents system operating decisions or activities, and $y \in Y$ represents constraints on that operation and the requirements to be met. Of course, by appropriately defining variables and constraints, we can also represent or approximate certain nonlinear cost functions in this model.

We note that "defender" is actually a misnomer in these models because the models do not directly represent defensive actions. "System user" or "system operator" would be more accurate, but awkward.

The model posits that an attacker wishes to maximize the defender's optimal (minimum) operating cost, and will do so by restricting the defender's activities y. Let $x_k = 1$ if the attacker attacks the defender's kth asset, let $x_k = 0$ otherwise, and let x denote the vector of attack decisions, i.e., an attack plan. For simplicity, we assume that if $x_k = 1$, asset k is disabled and $y_j = 0$ for any activity j that requires that asset. That is, attack of an asset stops the defender from carrying on activities that depend directly on that asset.

Binary restrictions on x, and some reasonable set of constraints on the attacker's resources, are represented by $x \in X$. Let $Y(x)$ represent the defender's set of feasible activities, restricted by the attack plan x. Thus, the attacker solves this planning problem:

(AD)  $\max_{x \in X} \min_{y \in Y(x)} \; c y$.  (2)

AD is a type of bilevel program (e.g., Moore and Bard 1990), and a bilevel program is a type of Stackelberg game (von Stackelberg 1952). The terms leader and follower in a Stackelberg game represent our attacker and defender, respectively. The key assumptions that make a Stackelberg game appropriate here are (1) the attacker's and defender's actions are sequential, (2) the attacker has a perfect model of how the defender will (or should) optimally operate the system, even after an attack, and (3) the attacker will manipulate that system to his best advantage. The latter two assumptions are strong but prudent for us: The defender can suffer no worse should the attacker possess a less-than-perfect model of the defender's system, or fail to implement a perfect attack plan. A defensive plan that hardens or protects the defender's activities will be prudently conservative if AD is used to evaluate the plan's effectiveness.

One can devise many generalizations of AD, including attacks that increase costs rather than limit activities, or attacks that reduce the capacity of an asset by less than 100 percent. We will cover some of these generalizations after establishing basic results.

Naturally, the defender may also lack perfect knowledge of the attacker's capabilities. That is, the defender may be guessing at the attack-resource constraints representing part of X. In this case, the defender will need to solve the model over a range of attack-resource levels, and use these results, along with some common sense, to determine system improvements.
For many situations, a linear program (LP) will provide an adequate model of the defender's system and its operations. For instance, the electric power industry commonly employs linearized "optimal power-flow models" for security analysis (Wood and Wollenberg 1996, p. 419). Therefore, we can express the optimal operation of the defender's system as

(D0)  $\min_{y \ge 0} \; c y$  (3)
s.t.  $A y = b$,  (4)
      $F y \le u$.  (5)

Constraints (4) correspond to general system-operations constraints (e.g., balance of current at junctions in an electric power network), and constraints (5) represent capacity limitations for asset $k \in K$ (e.g., maximum capacity, in megawatts, of the kth power line). Assets can include power lines, pipelines, roads, ports, communications hubs, and so forth.

We assume that an attack on asset k causes the loss of all its capacity $u_k$. Thus, the full AD model is

(AD0)  $\max_{x \in X} \min_{y \ge 0} \; c y$  (6)
s.t.  $A y = b$,  (7)
      $F y \le U(1 - x)$,  (8)

where $U = \mathrm{diag}(u)$. The inner LP must be constructed to be feasible for any x because we expect the system to operate in some degraded fashion after any conceivable attack. This may require the use of invulnerable activities, i.e., extra variables $y_j$ that do not appear in constraints. Also, if some amount of capacity $u_0$ is invulnerable to attack, constraints (8) become $F y \le u_0 + U(1 - x)$.

A natural approach to solving AD0 begins by reformulating it: Fix x temporarily; take the dual of the inner linear program; and then release x (Wood 1993). Unfortunately, this yields an unappealing, nonlinear, mixed-integer program. That model can be linearized, but there is a simpler method: Change the paradigm of "capacity attack" to "cost attack," and then take the dual of the inner problem (Cormican et al. 1998). Specifically, let $-p$ strictly bound the dual variables associated with $F y \le U(1 - x)$ over all possible values of $x \in X$. Thus, $p_k$ bounds the value to the defender of a unit of asset k's capacity. Because AD0 is feasible even when asset k has been disabled and has no capacity, it must be possible to penalize use of that capacity to make any use "uneconomical": $p_k$ is such a penalty. AD0 is thus equivalent to

(AD1)  $\max_{x \in X} \min_{y \ge 0} \; (c + x^T P F) y$  [dual variables]
s.t.  $A y = b$  $[\theta]$,
      $F y \le u$  $[\beta]$,

where $P = \mathrm{diag}(p)$, and "dual variables" denotes dual variables for the inner LP given fixed x. (Note that nonstrict bounds p are actually valid for optimizing x; see Cormican et al. 1998.)

After taking the dual of the inner minimization, a mixed-integer linear program (MILP) results:

(AD1-MILP)  $\max_{\beta \le 0,\, \theta,\, x} \; b^T \theta + u^T \beta$
s.t.  $A^T \theta + F^T \beta - F^T P x \le c$,
      $x \in X$.

We can solve this model directly or by using Benders' decomposition (Benders 1962). The standard Benders method for integer x begins by taking the dual of AD1-MILP with x fixed, which causes AD1 to reappear. Thus, the Benders decomposition applies naturally to these problems.

To illustrate, consider the following simplified model of a crude-oil pipeline network:

Data

$A$  node-arc incidence matrix for the network.
$b$  vector of supplies and demands: $b_i > 0$ defines a supply of $b_i$ million barrels per day (mmbbl/day) at node i, $b_i < 0$ defines a demand of $b_i$ mmbbl/day at i, and $b_i = 0$ implies that i is a transshipment node (pumping station), assumed invulnerable to attack.
$c_1$  vector of shipping costs by arc, i.e., pipeline segment (\$/mmbbl/day).
$c_2$  vector of penalties for not taking available supply ("take-or-pay penalties") (\$/mmbbl/day).
$c_3$  vector of penalties for unmet demand (e.g., spot-market cost) (\$/mmbbl/day).
$I_2$  incomplete diagonal matrix with a one for each supply node, but with zeroes elsewhere.
$I_3$  incomplete diagonal matrix with a one for each demand node, but zeroes elsewhere.

Variables

$y_1$  flows on pipelines (mmbbl/day).
$y_2$  unused supply (mmbbl/day).
$y_3$  unmet demand (mmbbl/day).

Formulation

(D0_P)  $\min_{y \ge 0} \; c_1 y_1 + c_2 y_2 + c_3 y_3$  (9)
s.t.  $A y_1 - I_2 y_2 + I_3 y_3 = b$,  (10)
      $I y_1 \le u$.  (11)

Constraints (10) are "elastic flow-balance constraints" that allow unused supply and unmet demand; constraints (11) represent pipeline capacities. For simplicity, we will (1) ignore the oil's purchase price, (2) assume that $c_2 = 0$, $c_1 > 0$, and $\mathbf{c}_3 = (c_3, c_3, \ldots, c_3)$, and (3) assume that only pipeline segments can be attacked.

Now, we proceed directly to create a "cost-attack" variant of the attacker-defender model in the form of AD1. Let x be defined as in AD1, with "asset k" now meaning "pipeline segment k." We suppose that intelligence reports indicate that terrorists can form at most T squads to carry out a coordinated attack, so that


x  e  X  = 


xe|0, 1} 


\k\ 


ksK 


We further note that $p = c_3$ exceeds the penalty incurred by not supplying one mmbbl/day because $c_1 > 0$. Thus, letting $\mathbf{p} = (p, p, \ldots, p)$ and $P = \mathrm{diag}(\mathbf{p})$, the max-min attacker-defender model becomes

(AD1_P)  $\max_{x \in X} \min_{y \ge 0} \; (c_1 + x^T P) y_1 + c_2 y_2 + c_3 y_3$  (12)
s.t.  $A y_1 - I_2 y_2 + I_3 y_3 = b$,  (13)
      $I y_1 \le u$.  (14)

We leave it to the reader to take the dual of the inner minimization to create AD1_P-MILP. However, there is a caveat: The quality of the LP relaxation of that MILP will depend directly on how small the penalties $p_k$ are. Therefore, the modeler may need to work to identify small, valid values. For instance, for any $\varepsilon > 0$, each $p_k$ in AD1_P can be validly reduced to $p_k - c_{1,\min} + \varepsilon$, where $c_{1,\min}$ is the smallest shipping cost a demand might incur while being satisfied.

Actually, a cost-attack model like AD1 will sometimes apply directly to infrastructure analysis. For instance, suppose that D0, with constraints (5) eliminated, corresponds to a minimum-traversal-time (shortest-path) problem in a road network. Rather than having an attack on link k reduce that link's capacity, a more natural model may simply add a delay $d_k$ to the nominal traversal time $c_k$. Thus, this model becomes

(AD1_R)  $\max_{x \in X} \min_{y \ge 0} \; (c + x^T D) y$
s.t.  $A y = b$

(Israeli and Wood 2002), where $D = \mathrm{diag}(d)$, with d being the vector of delays $d_k$. (Hereafter, we will not announce the bold, vector versions of variables and data, except when used to define matrices such as D.)

Defender-Attacker Models

The solution of an attacker-defender model identifies a set of most-critical assets (components) for a system. The ability to identify such assets leads to some obvious heuristics for approximating the solution to the "optimal defense problem," i.e., for identifying a near-optimal defense plan, given a limited defense budget. But, how do we identify truly optimal solutions?

In theory, one merely embeds the bilevel attacker-defender model in a trilevel defender-attacker-defender model (DAD) such as

(DAD)  $\min_{w \in W} \max_{x \in X(w)} \min_{y \in Y(x)} \; c y$.  (15)

Here, w denotes a binary vector of defensive decisions (e.g., $w_k = 1$ if asset k is hardened and made invulnerable, and $w_k = 0$, otherwise), $w \in W$ denotes the binary restrictions on w together with budgetary and other possible constraints, and the inner max-min problem simply represents an attacker-defender model with a restricted set of attack strategies, $X(w)$. Thus, the defender wishes to identify a defense plan $w^*$ so that when the attacker solves

$\max_{x \in X(w^*)} \min_{y \in Y(x)} \; c y$  (16)

the "benefit" the attacker perceives, i.e., the worst damage the attacker can inflict, is minimized.
In general, we believe that DADs will solve only with difficulty because conversion to a monolithic MILP will usually be impossible, necessitating more complicated decomposition techniques. We discuss this topic later in the paper. Fortunately, certain optimal-defense problems lend themselves to easier bilevel, defender-attacker models of the following form:

Indices

k  asset the defender may want to defend, and the attacker may want to attack (we use a one-to-one relationship here for simplicity).

Data

$c_k$  value to the attacker of attacking undefended asset k.
$p_k$  reduction in value of attacking asset k if that asset is defended, i.e., the attacker receives benefit $c_k + p_k$, $p_k < 0$, by attacking defended asset k.

Variables

$x_k$  1 if the defender defends his kth asset, 0 otherwise.
$y_k$  1 if the defender's kth asset is attacked, 0 otherwise.

Constraints

$x \in X$  resource constraints and binary restrictions on the defender's defense plan, e.g., $X = \{x \in \{0,1\}^n \mid Gx \le f\}$.
$y \in Y$  resource constraints and binary restrictions on the attacker's attack plan, e.g., $Y = \{y \in \{0,1\}^n \mid Ay = b\}$.

Formulation

(DA1)  $\min_{x \in X} \max_{y \in Y} \; (c + x^T P) y$.

A simplified example illustrates this model. Suppose that intelligence reports indicate that a terrorist organization, "the attacker," intends to send out b teams to attack b different subway stations in a city having $M > b$ total stations. Municipal authorities, "the defender," have $m < M$ teams with which to defend stations. The value to the defender of station k is $c_k > 0$, and we assume that the attacker assigns the same values. Let $p_k = -c_k$. Thus, a defended station becomes invulnerable, and the attacker gains no benefit by attacking it. We formulate this "subway-defense problem" as

(DA1_SUB)  $\min_{x \in X} \max_{y \in \{0,1\}^M} \; \sum_{k=1}^{M} (c_k + x_k p_k) y_k$  (17)
s.t.  $\sum_{k=1}^{M} y_k = b$,  (18)

where $X = \{x \in \{0,1\}^M \mid \sum_{k=1}^{M} x_k = m\}$.

In general, DA1 and instances like DA1_SUB are difficult to solve because the inner maximization is not an LP. Thus, no general transformation exists to convert DA1 into an MILP as we converted AD1 into AD1-MILP. This can be resolved in one of three ways:

Case 1. We decide that continuous attack effort represents a reasonable approximation of reality; therefore, we convert Y to $Y_{Cont} = \{y \in \mathbb{R}^n \mid Ay = b,\; y \le 1\}$ (Golden 1978).

Case 2. The LP relaxation of Y, $Y_{LP} = \{y \in \mathbb{R}^n \mid Ay = b,\; y \le 1\}$, yields intrinsically binary solutions, making a conversion from DA1 into DA1-MILP possible. Such is the situation with DA1_SUB, and we invite the reader to work out the details. Typically, Case 2 will arise when $Y_{LP}$ corresponds to a network-flow problem which, having a totally unimodular constraint matrix, possesses integer extreme points (e.g., Ahuja et al. 1993, pp. 447-449). Indeed, $Y_{LP}$ for DA1_SUB describes a simple network flow problem. Brown et al. (2005b) present a more complex instance involving theater ballistic missile defense.

Case 3. Neither of the cases above pertains, and we must include restriction $y \in \{0,1\}^n$ in the definition of Y.

Case 3 requires special techniques to solve, but solution methods better than brute-force enumeration do exist (e.g., Israeli and Wood 2002, Skroch 2005). This paper focuses on Cases 2 and 3 because Case 1 seems unrealistic for our applications.

We offer one final observation on the DA model. DA cannot incorporate a detailed operational model of the defender's system. However, by manipulating $x \in X$, we can describe limited operational detail. For instance, suppose that the defender's system loses value $c > 0$ if either asset k or k' is attacked (when undefended), but loses no additional value if both k and k' are attacked. The constraint $x_k + x_{k'} \le 1$ handles this situation perfectly when added to the constraints defining X.
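The subway-defense problem DA1_SUB can be checked by enumeration on a small instance. This added example (not code from the paper) uses constructed station values, and goes beyond the text's $p_k = -c_k$ case by also allowing partial protection ($c_k + p_k > 0$), which the DA1 data definition permits; it compares the optimal defense with a simple defend-the-most-valuable ranking.

```python
from itertools import combinations

# Constructed instance (not from the paper): four stations, b = 2 attacks, m = 1 defense team.
VALUE = [10, 9, 5, 3]            # c_k: value of station k
P_FULL = [-10, -9, -5, -3]       # p_k = -c_k: a defended station is worth nothing to attack
P_PARTIAL = [-1, -9, -5, -3]     # assumption: station 0 can only be partially protected


def attacker_best(c, p, defended, b):
    """Inner max of DA1_SUB for a fixed defense plan x.

    With the single constraint sum(y) = b, the binary optimum is simply the b
    largest residual values c_k + x_k * p_k (Case 2: the LP relaxation is integral).
    Returns (total value attacked, chosen stations).
    """
    residual = [ck + (pk if k in defended else 0)
                for k, (ck, pk) in enumerate(zip(c, p))]
    chosen = sorted(range(len(c)), key=lambda k: (-residual[k], k))[:b]
    return sum(residual[k] for k in chosen), tuple(chosen)


def solve_da1_sub(c, p, m, b):
    """Outer min of DA1_SUB by enumerating every plan that defends exactly m stations."""
    best = None
    for x in combinations(range(len(c)), m):
        value, y = attacker_best(c, p, set(x), b)
        if best is None or value < best[0]:
            best = (value, x, y)
    return best


def rank_by_value(c, p, m, b):
    """Baseline for comparison: defend the m highest-value stations."""
    x = tuple(sorted(sorted(range(len(c)), key=lambda k: (-c[k], k))[:m]))
    value, y = attacker_best(c, p, set(x), b)
    return value, x, y


if __name__ == "__main__":
    for label, p in (("p_k = -c_k", P_FULL), ("partial protection", P_PARTIAL)):
        print(label)
        print("  optimal defense :", solve_da1_sub(VALUE, p, m=1, b=2))
        print("  rank-by-value   :", rank_by_value(VALUE, p, m=1, b=2))
```

When protection is complete the ranking and the optimum agree; when station 0 keeps most of its value even if defended, the optimal plan moves the single team to station 1 and the worst-case loss falls from 18 to 15.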

Defender-Attacker-Defender Models

Although difficult, we can sometimes solve a trilevel DAD model exactly, to prescribe an optimal defensive plan for an infrastructure system. The DAD must assume a fixed level of offensive resources, but results will be believable if we make appropriately conservative assumptions. For instance, can we really believe that a group of terrorists will be able to strike more than 10 electric power substations simultaneously in a particular region? Limiting the number of attacks to 10 may be deemed appropriately conservative.

For simplicity, we assume that if asset k is defended, i.e., $w_k = 1$, then that asset becomes invulnerable. We let $h^+ = \max\{0, h\}$ apply componentwise in a vector, so that $(x - w)^+$ denotes the "net attack plan" that results from attack plan x implemented against defense plan w. Using AD0 as the inner, bilevel model, the trilevel model becomes

(DAD0)  $z^*_D = \min_{w \in W} \max_{x \in X} \min_{y \in Y} \; c y$
s.t.  $A y = b$,
      $0 \le y \le U(1 - (x - w)^+)$.

We warned about taking the dual of the inner minimization before, but now we have

$\min_{w \in W} \max_{x \in X} \max_{\alpha, \beta} \; \alpha b^T + \beta U (1 - (x - w)^+)$  (19)
s.t.  $\alpha A + \beta I \le c$,  (20)
      $\beta \le 0$,  (21)

$\min_{w \in W,\, z} \; z$  (22)
s.t.  $z \ge \alpha_l b^T + \beta_l U (1 - (x_l - w)^+)$,  $l \in L$,  (23)

where L enumerates all combinations of maximal attack plans $x \in X$ and extreme points $(\alpha, \beta)$ from (20) and (21).

The final formulation indicates that DAD0 can be solved just as we might solve a DA with a Benders decomposition, except: (1) the subproblems will be instances of AD solved via AD1, and (2) the master problem will require constructs to handle the "+" operator. The fact that the subproblems can be solved by decomposition leads to interesting possibilities for a "nested decomposition" (O'Neill 1976).

We have only just begun to explore DADs, and a host of alternative or complementary solution techniques must be tested. One technique has already proven useful — the addition of "super-valid inequalities" (Israeli and Wood 2002) to the relaxed master problem, i.e., the version of the master problem (22)-(23), that is solved during the Benders decomposition algorithm. In particular, as the algorithm generates each Benders cut (23) based on a new solution $w_l$, we also add a constraint that represents $w \ne w_l$. The upper bound from the relaxed master problem remains valid if we have not identified an optimal solution; if we have identified such a solution, the value of the bound is irrelevant. Because w is binary, simple linear constraints will implement the super-valid inequalities.

Actually, one can implement a version of Benders' decomposition with a master problem whose constraints consist only of super-valid inequalities, and with an objective function that represents any of the lower-bounding functions in (23). Brown (2005) applies this technique to a model for planning the reconstruction of the Iraqi oil pipeline system and defending it from insurgents.
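A brute-force version of the trilevel model, as an added example rather than code from the paper: it uses the delay form AD1_R as the inner attacker-defender model instead of AD0, enumerates plans instead of applying Benders decomposition, and runs on a constructed four-arc road network with assumed delays. It also reproduces the earlier point about prioritized lists: the optimal hardening set for a budget of two shares nothing with the optimal set for a budget of one.

```python
import heapq
from itertools import combinations

# Constructed toy road network (not from the paper): arc -> (tail, head, nominal time c_k)
ARCS = {"a": ("s", "m", 1), "b": ("m", "t", 1), "e2": ("s", "t", 3), "e3": ("s", "t", 10)}
DELAY = {k: 100 for k in ARCS}   # d_k added to an attacked, unhardened arc (assumed values)
SOURCE, SINK = "s", "t"


def operate(attacked):
    """Innermost level: min (c + x^T D) y  s.t.  Ay = b, i.e. the operator's
    shortest SOURCE-SINK traversal time once the attacked arcs are delayed."""
    adj = {}
    for k, (tail, head, cost) in ARCS.items():
        adj.setdefault(tail, []).append((head, cost + (DELAY[k] if k in attacked else 0)))
    dist, heap = {SOURCE: 0}, [(0, SOURCE)]
    while heap:                                   # Dijkstra; all arc times are nonnegative
        d, u = heapq.heappop(heap)
        if u == SINK:
            return d
        if d > dist[u]:
            continue
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return float("inf")


def worst_attack(squads, hardened=frozenset()):
    """Middle level: max over x in X(w). Hardened arcs (w_k = 1) are invulnerable.
    Delays are nonnegative, so only maximal attack plans need to be enumerated."""
    targets = sorted(k for k in ARCS if k not in hardened)
    plans = combinations(targets, min(squads, len(targets)))
    return max(((operate(set(p)), p) for p in plans), key=lambda r: r[0])


def best_defense(budget, squads):
    """Outer level: min over w in W, where W allows `budget` hardened arcs.
    Hardening more arcs never hurts, so plans of exactly that size suffice."""
    plans = combinations(sorted(ARCS), min(budget, len(ARCS)))
    return min(((worst_attack(squads, frozenset(w))[0], w) for w in plans),
               key=lambda r: r[0])


if __name__ == "__main__":
    # AD alone, solved over a range of attack-resource levels T.
    for T in range(4):
        print("T =", T, "worst-case time, plan:", worst_attack(T))
    # DAD: optimal hardening for growing defense budgets against T = 2.
    for B in range(4):
        print("budget =", B, "optimal (time, hardened):", best_defense(B, squads=2))
```

Against two squads, a budget of one is best spent on arc e2 (worst-case time 3), while a budget of two is best spent on arcs a and b (worst-case time 2), so extending the one-arc plan by a second arc would miss the optimum.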

Three  Examples 

This  section  describes  AD,  DA,  and  DAD  models 
applied  to  problems  of  protecting  specific  instances 
of  critical  infrastructure.  We  have  created  and  tested 
many  of  these  models  by  (1)  defining  a  hypothetical 
but  realistic  scenario,  (2)  assembling  a  "red  team"  of 
well-trained,  military  officer-students  to  gather  data 
from  strictly  public  sources,  (3)  advising  the  team  on 
creating  and  solving  an  appropriate  model,  and  (4) 
helping  analyze  results. 

The results have led to valuable insights. We have found cases in which a
given set of attackers can do more, or less, damage than we would have
predicted, and sometimes the attacks do not target the "obvious" components
revealed in single-point-of-failure analysis.

The Strategic Petroleum Reserve: Attacker-Defender

We  first  consider  the  US  Strategic  Petroleum  Reserve 
(SPR),  which  stores  700  million  barrels  of  crude  oil  in 
underground  caverns,  and  which  can  deliver  this  oil 
(about  two  months'  supply  for  the  United  States)  via 
its  pumps  and  pipelines  to  refiners,  ports,  and  export 
pipelines.  Terrorists  have  certainly  planned  attacks  on 
infrastructure  like  the  SPR  elsewhere  in  the  world 
(Luft  and  Korin  2003). 

We seek a defensive plan for a section of the SPR that lies in Louisiana. (We
base Figure 1 on a series of telephone and e-mail discussions during April
and May 2005 with J. Holbrook and P. Withers, analysts for the Space
Countermeasures Hands On Program at Kirtland Air Force Base, Albuquerque,
NM.) Figure 1 depicts that section as a network, showing (1) the Bayou
Choctaw and West Hackberry storage sites as source nodes, (2) four
refineries, four ports, and 14 export pipelines as sink nodes, (3) a number
of pumping stations and junctions as transshipment nodes, and (4) a number of
pipeline sections connecting the nodes as network arcs.

We suppose that the United States is in a state of emergency and that the
defender requires maximum output from the SPR and consequently measures the
"cost" of operating the system in terms of any reduction below that maximum.
We could create a formal DAD as the basis for analysis; the network is small
and the corresponding DAD would solve easily. However, we imagine that
analysts have just begun their work, and prefer to explore a set of discrete
options to "get a feel for the problem." So, for this limited scenario, the
analysts' toolkit consists of the attacker-defender model ADlp (Equations
(12)-(14)).

Figure 1: The US Strategic Petroleum Reserve has two storage locations in
Louisiana connected by a system of pumps and pipelines to refiners, ports,
and export pipelines. We model defense of the maximum system output. Several
simple defense plans make the system highly robust against multiple attacks
(Benedetto et al. 2005).

Analysts working for the SPR would have precise data for pipeline capacities
and pumping rates, but we believe that our estimates, derived from public
sources, should suffice for purposes of demonstration. They should also
suffice for purposes of a terrorist organization. Now, for each of three
defensive options, we evaluate optimal attack plans assuming that the
attacker can destroy no network components (nodes or arcs), one component,
two components, and so forth. The options and results follow.

Defense Option A: Baseline, no defense. The destruction of only two system
components, the sources, reduces optimum system output to zero (i.e., leads
to the most costly system operation possible). Thus, a sensible defensive
plan must include the sources.

Defense  Option  B:  Protect  critical  core  components.  We 
discover  a  "critical  backbone"  of  components,  which, 
if  protected,  ensures  connection  of  the  two  sources  to 
many,  normally  redundant,  parts  of  the  distribution 
network.  With  the  backbone  defended,  at  least  seven 
(undefended)  components  must  be  destroyed  before 
maximum  system  output  drops  below  half. 

Defense  Option  C:  Protect  a  10-mile-radius  security 
zone  around  each  source.  This  protects  three-quarters  of 
the  system  capacity  for  any  conceivable  number  of 
attacks. 
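
The option-by-option evaluation described above, as an added example (not the authors' code, and not SPR data): a constructed five-arc pipeline network on which the operator's maximum flow, the attacker's best set of arcs and the defender's best protected set are all found by enumeration. It goes one step beyond the discrete options in the text by also solving the small DAD and comparing it with a defense that is forced to cover the undefended worst-case attack; the network, the arc-only attacks and every function name are assumptions made for illustration.

```python
from collections import deque
from itertools import combinations

# Constructed toy network (not SPR data): arc name -> (tail, head, capacity).
# Two redundant trunk lines feed a junction M; three delivery lines leave it.
ARCS = {
    "a": ("S", "M", 10),
    "b": ("S", "M", 10),
    "c": ("M", "T", 4),
    "d": ("M", "T", 4),
    "e": ("M", "T", 4),
}


def max_flow(destroyed=()):
    """Operator's problem: maximum S-T output with `destroyed` arcs removed
    (Edmonds-Karp on an edge list, so parallel arcs are handled)."""
    edges, adj = [], {}      # edges[i] = [head, residual]; i ^ 1 is its reverse
    for name, (u, v, cap) in ARCS.items():
        if name in destroyed:
            continue
        adj.setdefault(u, []).append(len(edges))
        edges.append([v, cap])
        adj.setdefault(v, []).append(len(edges))
        edges.append([u, 0])
    flow = 0
    while True:
        pred, queue = {"S": None}, deque(["S"])
        while queue and "T" not in pred:          # breadth-first search
            u = queue.popleft()
            for i in adj.get(u, []):
                v, residual = edges[i]
                if residual > 0 and v not in pred:
                    pred[v] = i
                    queue.append(v)
        if "T" not in pred:
            return flow                           # no augmenting path is left
        path, v = [], "T"
        while pred[v] is not None:
            path.append(pred[v])
            v = edges[pred[v] ^ 1][0]             # tail of the edge into v
        push = min(edges[i][1] for i in path)
        for i in path:
            edges[i][1] -= push
            edges[i ^ 1][1] += push
        flow += push


def worst_attack(defended, n):
    """Attacker's problem: the set of at most n undefended arcs whose loss
    minimises output. Returns (attack, resulting_output)."""
    targets = [k for k in ARCS if k not in defended]
    plans = [p for r in range(min(n, len(targets)) + 1)
             for p in combinations(targets, r)]
    attack = min(plans, key=max_flow)
    return attack, max_flow(attack)


def attack_curve(defended, max_attacks):
    """Output after 0, 1, ..., max_attacks optimal attacks on one option."""
    return [worst_attack(defended, n)[1] for n in range(max_attacks + 1)]


def best_defense(m, n, must_cover=()):
    """Defender's problem (DAD by enumeration): the m arcs to protect that
    maximise output after the attacker's best response. `must_cover` forces
    the plan to include given arcs, which models the rule of thumb."""
    plans = [w for w in combinations(ARCS, m) if set(must_cover) <= set(w)]
    defense = max(plans, key=lambda w: worst_attack(w, n)[1])
    return defense, worst_attack(defense, n)[1]


if __name__ == "__main__":
    print("no defense        :", attack_curve((), 3))
    print("both trunks safe  :", attack_curve(("a", "b"), 3))
    x0, _ = worst_attack((), 2)
    print("undefended worst attack:", x0)
    print("optimal defense   :", best_defense(3, 2))
    print("cover-x0 defense  :", best_defense(3, 2, must_cover=x0))
```

On this toy network the optimal three-arc defense protects only one of the two trunk lines and keeps 8 of 12 units of output, while the defense forced to cover both arcs of the undefended worst-case attack keeps 4.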

Border  Patrol:  Defender-Attacker 

The porosity of the United States' borders has received much attention in
recent years, with emphasis placed on the lack of border-patrol resources
(e.g., General Accounting Office 2004). We believe that operations research
can help make better use of limited budgetary and human resources here. In
particular, we want to improve the probability that border defenses will
detect an alien, who may be a terrorist, trying to infiltrate the country
from Mexico. For simplicity, we assume a single "infiltrator" will choose
from among a set of well-known routes to attempt to enter the United States.

Figure 2: Limited patrol assets can be allocated optimally to detect illegal
incursions into the United States through the Yuma, Arizona border area. A
map of the area is overlaid with a skeleton of a network that represents
potential infiltration routes from Mexico. Arcs not shown represent movements
from border entry points through sensor fields, and along roads and
footpaths. The dark nodes identify a route that minimizes the maximum
probability of detection for an infiltrator (Pulat 2005).

Figure 2 shows a map of the Yuma border area, along with a skeleton of the
"infiltration network" that describes the paths an infiltrator could take
from Mexico, into the United States through conventional portals, or via
incursions over roads or footpaths. (The full network contains too many arcs
to depict.) The intent is to spend a limited security budget on procedural
changes, sensors, road patrols, and helicopter patrols to increase detection
probabilities on individual arcs and thereby maximize overall detection
probability. The options for procedural changes include closing off certain
legal portals, and using sensors or helicopter patrols for detection and
cueing ground units. Ground units are vehicles and crews that we position
independently, or position to follow up on cues from helicopter patrols.

Probability of nondetection proves to be a useful concept for modeling this
problem. For simplicity, we assume that every arc $k$ in the network
possesses a nominal probability $1 \ge q_k > 0$: This is the current
probability of nondetection if the infiltrator traverses arc $k$. If we spend
$c_k$ dollars at arc $k$, a new sensor will be installed, or a new procedure
implemented, and the nondetection probability becomes $\bar{q}_k > 0$, with
$\bar{q}_k < q_k$. (Note that (1) the model extends easily to handle multiple
options for reducing nondetection probability on an arc, (2) completely
closing off an arc $k$ can be handled by setting $\bar{q}_k$ arbitrarily
close to zero, (3) an artificial arc $k$ connects each entry point to an
artificial source node $s$, with $q_k = \bar{q}_k = 1$, and, similarly, (4)
an artificial arc $k$ connects each node representing a completed
infiltration to an artificial sink node $t$, with $q_k = \bar{q}_k = 1$.)

We seek to spend a budget of $c'$ dollars to minimize the maximum probability
of nondetection along any path the infiltrator might take. If we assume
independence of detection events, this model can be formulated as follows
(see the related model in Pan et al. 2003):

Indices and Structural Data

$i \in \mathcal{N}$    nodes of the infiltration network.
$k \in \mathcal{A}$    directed arcs of the infiltration network.
$\mathcal{G} = (\mathcal{N}, \mathcal{A})$    infiltration network.

Variables

$x_k$    1 if the defender upgrades security on arc $k$, 0 otherwise.
$y_k$    1 if the attacker traverses arc $k$ when $x_k = 0$, 0 otherwise.
$\bar{y}_k$    1 if the attacker traverses arc $k$ when $x_k = 1$, 0 otherwise.

Data

$A$    node-arc incidence matrix for $\mathcal{G}$.
$b$    node-length vector with $b_s = 1$, $b_t = -1$, and $b_i = 0$ for all $i \in \mathcal{N} \setminus \{s, t\}$.
$q_k$    nominal probability of nondetection on arc $k$ when $x_k = 0$ ($q_k > 0$).
$\bar{q}_k$    probability of nondetection on arc $k$ when $x_k = 1$ ($q_k \ge \bar{q}_k > 0$).
$d_k$    $\log q_k$ (vector form $d$ and $D = \mathrm{diag}(d)$).
$\bar{d}_k$    $\log \bar{q}_k$ (vector form $\bar{d}$ and $\bar{D} = \mathrm{diag}(\bar{d})$).
$c_k$    cost to upgrade security on arc $k$ ($).
$c'$    total budget for upgrading security ($).
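
Formulation

(DA1_Yuma)

$$\min_{x \in X} \; \max_{y,\, \bar{y}} \; \prod_{k \in \mathcal{A}} q_k^{(1 - x_k)\, y_k} \, \bar{q}_k^{\, x_k \bar{y}_k} \tag{24}$$

$$\text{s.t.} \quad A y + A \bar{y} = b, \tag{25}$$

$$y, \bar{y} \in \{0, 1\}^{|\mathcal{A}|}, \tag{26}$$

where $X = \{x \in \{0, 1\}^{|\mathcal{A}|} \mid c x \le c'\}$.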

Constraints (25) and (26) ensure that one unit of "unsplittable flow,"
representing the infiltrator, moves from $s$ to $t$. Constraints (25) are
standard flow-balance constraints, just like those that would model a
shortest-path problem in $\mathcal{G}' = (\mathcal{N}, \mathcal{A} \cup \mathcal{A}')$,
where $\mathcal{A}'$ duplicates $\mathcal{A}$.

We then apply a standard logarithmic transformation to the objective function
to obtain this equivalent model:

(DA2_Yuma)

$$\min_{x \in X} \; \max_{y,\, \bar{y} \ge 0} \; (\mathbf{1} - x)^{T} D y + x^{T} \bar{D} \bar{y}$$

$$\text{s.t.} \quad A y + A \bar{y} = b.$$

Simple nonnegativity restrictions replace constraints (26), because the
constraint matrix in (25) is totally unimodular. Indeed, for fixed $x$, the
model defines a shortest-path problem on $\mathcal{G}'$ if one multiplies $D$
and $\bar{D}$ by $-1$, and switches the maximization to a minimization. This
model converts easily to an MILP. (See Case 2 in the Defender-Attacker Models
section.)

We  use  standard  search-theory  to  estimate  detection 
probabilities  on  arcs.  Although  absolute  statistics  are 
of  questionable  value,  relative  results  are  plausible. 
The  results  for  four  different  resources  scenarios  are 
summarized  below.  Note  that  the  results  are  specified 
in  terms  of  probability  of  detection,  not  nondetection. 

Baseline Scenario 1, no security improvements. An infiltrator would cross the
border and traverse downtown Yuma, exiting the city to the northeast.
Probability of detection = 0.04.

Scenario 2, one check point, one remote observation post, two road patrols,
sensors to cover at most 15 road segments, and one helicopter, all visible to
the infiltrator. Probability of detection = 0.07.

Scenario 3, two check points, one remote observation post, two road patrols,
sensors to cover at most 15 road segments, and one helicopter, all visible to
the infiltrator. Probability of detection = 0.11.

Scenario 4, surprise interdiction of downtown Yuma infiltration route. One
hidden sensor field and two surprise roadblocks are located optimally. The
probability of detection rises to 0.6 because information has been hidden
from the infiltrator. This represents an interesting use of a Stackelberg
game in which we fool the follower ("infiltrator" or "attacker") into playing
one game but evaluate success according to another that is more advantageous
to the leader ("defender"). This game will be played many times, however, and
the infiltrator will eventually catch on to the ruse. Two-person zero-sum
game theory may be needed here.
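
The min-max model above and the hidden-upgrade variant of Scenario 4, as an added example (not the authors' code, and not Yuma data): the attacker's inner problem is solved as a shortest path with arc lengths equal to minus the log of the nondetection probability, and the defender's budget-feasible set $X$ is enumerated. The five-arc network, its probabilities and costs, the budget and all function names are constructed for illustration.

```python
import heapq
import math
from itertools import combinations

# Constructed toy infiltration network (not Yuma data).
# Arc k: (tail, head, q_k, qbar_k, c_k) with qbar_k < q_k.
ARCS = [
    ("s", "a", 0.90, 0.50, 2),   # k = 0
    ("s", "b", 0.80, 0.40, 2),   # k = 1
    ("a", "t", 0.90, 0.30, 3),   # k = 2
    ("b", "t", 0.95, 0.60, 1),   # k = 3
    ("a", "b", 0.95, 0.50, 1),   # k = 4
]
BUDGET = 4  # c' in the text


def nondetection(k, x):
    """Nondetection probability on arc k under upgrade plan x (a set of arcs)."""
    return ARCS[k][3] if k in x else ARCS[k][2]


def attacker_best_path(x):
    """Inner problem for fixed x: the s-t path with the largest product of
    nondetection probabilities, found by Dijkstra on lengths -log(q) >= 0."""
    adj = {}
    for k, (u, v, *_rest) in enumerate(ARCS):
        adj.setdefault(u, []).append((v, -math.log(nondetection(k, x)), k))
    dist, pred, done = {"s": 0.0}, {}, set()
    heap = [(0.0, "s")]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, length, k in adj.get(u, []):
            if d + length < dist.get(v, math.inf):
                dist[v] = d + length
                pred[v] = (u, k)
                heapq.heappush(heap, (d + length, v))
    path, node = [], "t"
    while node != "s":                 # walk predecessors back to the source
        node, k = pred[node]
        path.append(k)
    return path[::-1], math.exp(-dist["t"])


def path_nondetection(path, x):
    """Product of nondetection probabilities along a fixed path under plan x."""
    return math.prod(nondetection(k, x) for k in path)


def feasible_plans():
    """The set X: every subset of arcs whose upgrade cost fits the budget."""
    for r in range(len(ARCS) + 1):
        for plan in combinations(range(len(ARCS)), r):
            if sum(ARCS[k][4] for k in plan) <= BUDGET:
                yield frozenset(plan)


def transparent_defense():
    """min over x in X of the attacker's best response; the attacker sees x."""
    plan = min(feasible_plans(), key=lambda x: attacker_best_path(x)[1])
    path, p = attacker_best_path(plan)
    return sorted(plan), path, p


def hidden_defense():
    """Upgrades are hidden: the attacker plans against the nominal q (x = 0)
    and the defender spends the budget on the path that results."""
    path, _ = attacker_best_path(frozenset())
    plan = min(feasible_plans(), key=lambda x: path_nondetection(path, x))
    return sorted(plan), path, path_nondetection(path, plan)


if __name__ == "__main__":
    _, p0 = attacker_best_path(frozenset())
    print("baseline detection    : %.5f" % (1 - p0))
    plan, path, p = transparent_defense()
    print("transparent detection : %.5f" % (1 - p), "upgrades", plan, "path", path)
    plan, path, p = hidden_defense()
    print("hidden detection      : %.5f" % (1 - p), "upgrades", plan, "path", path)
```

With the same budget, hiding the upgrades raises the detection probability on this toy network from about 0.55 to 0.85, which is the effect Scenario 4 reports; it holds only while the attacker keeps planning against the nominal values.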

Electric  Power  Grids:  Defender-Attacker-Defender 

We have produced a complete decision-support system called the Vulnerability
of Electric Grids Analyzer (VEGA) that uses an AD model to identify critical
components in a power grid (Salmeron et al. 2004a, b; Brown et al. 2005a).
Criticality of grid components is measured through "disruption," which may be
viewed as the penalty for unserved demand, weighted by different customer
sectors. (Disruption includes a small factor for actual generation costs, but
we ignore that in this paper.) We assume that a group of terrorists, using
limited offensive resources, will attack and destroy, i.e., "interdict," grid
components to maximize disruption.

In VEGA, a set of standard "optimal DC power-flow submodels" (DCOPFs)
comprise DO, the inner, minimizing LP (Wood and Wollenberg 1996, p. 514).
Each submodel looks just like the pipeline model (D0P), constraints (9)-(11),
except that (1) the network is an electrical grid instead of a pipeline
network; (2) the commodity flowing through the network is electrical current
instead of oil; and (3) the model adds linearized admittance constraints for
AC lines. This LP approximates the "true," nonlinear AC model, but the
industry deems it adequate for security analyses. In fact, an independent
system operator may solve a model like this thousands of times per day to
ensure that a power grid maintains "N - 1 security," i.e., can still meet all
customer demand after any single component failure. In our case, the
submodels represent different system states as demand varies and repairs
proceed, over time, after an attack.

Ultimately, we wish to identify the best, budget-limited set of protective
measures for the power grid, i.e., to solve an instance of DAD with VEGA's
current model representing the "AD" part of "DAD." We have developed such a
DAD model for VEGA, but cannot yet solve full-scale problems as we can for
AD. Consequently, the example described below only covers a modest-size test
system from the Institute of Electrical and Electronics Engineers (IEEE).

We make a number of assumptions to simplify the presentation: Only power
lines can be interdicted, and thus only power lines need defending; all lines
require the same amount of time to repair; and load (demand) remains
constant. Thus, we concern ourselves only with the instantaneous unserved
demand for power and solve only a single DCOPF to evaluate the inner model,
DO.

Under the above assumptions, the following model describes a valid master
problem for this DAD, taking the place of (22)-(23):

$$z^* = \min_{w \in W,\, z} \; z \tag{27}$$

$$\text{s.t.} \quad z \ge f(\hat{x}_\ell) + \sum_{k \mid \hat{x}_{\ell k} = 1} \mu_{\ell k}\, u_k\, w_k \quad \forall \ell \in L, \tag{28}$$

where $f(\hat{x}_\ell)$ evaluates the disruption caused by interdiction plan
(attack plan) $\hat{x}_\ell$, i.e., "load shedding" (unmet demand for
electricity) or its cost; $u_k$ denotes the capacity of line $k$; and
$\mu_{\ell k}$ is the optimal dual variable on the capacity constraint that
must be enforced when $\hat{x}_{\ell k} = 1$, namely, 14. < 0.

The formulation (27)-(28) ignores the fact that an attack not only drops the
capacity of a line to zero, but also eliminates one or more admittance
constraints that relate phase angles of power flows on interconnected lines.
Thus, a partial benefit may actually accrue to the system because of an
attack. This means that when interdicted line $k$ is retrospectively
defended, i.e., the master problem sets $w_k = 1$ for some
$\hat{x}_{\ell k} = 1$, so that $(\hat{x}_{\ell k} - w_k)^+ = 0$ (see DADO),
then we should account for the negative benefit accrued by re-enforcing one
or more admittance constraints. However, we ignore this effect. The negative
benefit could serve to reduce the coefficients $\mu_{\ell k}$ in (28) and
thereby strengthen the master problem. But, the master problem remains valid
because each constraint in (28) defines a valid lower-bounding function on
$z^*$, and the solution to the final master problem returns the true
objective-function value for DADO for any explicitly evaluated solution
$\hat{w}_\ell \in W$. (This is true because whenever the master problem
returns $\hat{w}_\ell \in W$, we will immediately solve for a corresponding
optimal interdiction plan $\hat{x}_\ell$, with objective value
$f(\hat{x}_\ell)$, and add a Benders cut (28) to the master problem.)

A hypothetical grid known as "Reliability Test System with Two Areas"
(Institute of Electrical and Electronics Engineers 1999) defines our test
scenario (Figure 3). This grid comprises 48 buses (nodes), 69 power lines
(which allow flow of electricity in both directions), and 10 high-voltage
transformers in four substations and 66 generating units. (However, recall
that, for simplicity, only power lines may be interdicted.) Also, Equation
(26) is slightly modified to account for attacks on physically parallel lines
(14 in our example). Specifically, if two lines are mounted on the same
towers, an attack on one implies an attack on both. We allow n = 4
interdictions (attacker's resource), but assume that we can prevent
interdiction on m = 8 lines (defender's resource).

Using our AD model, it is relatively easy to find an optimal interdiction
plan on the undefended network, i.e., when w = w0 = 0. The optimal lines to
interdict are X*(w0) = {A18, A21, A23, A26}, yielding a cost of
$915,023/hour based on a load-shedding penalty of $1,000/MWh. Interestingly,
the optimal defense plan for eight lines does not cover all four of the lines
in X*(w0). In fact, W* = {A18, A23, A32-1, A33-1, B21, B23, B27, B28}, which
includes only two lines from the optimal, undefended interdiction plan. With
this defense, denoted by the vector w*, the best interdiction plan becomes
X*(w*) = {A11, A12-1, B11, B12-1}, and the defended system now costs only
$421,028/hour. (Note that the attacker does not interdict the now-undefended
lines {A21, A26}.)

Next, let us show that forcing a defense plan to cover the optimal,
undefended interdiction plan X*(w0) would result in a substantial misuse of
defensive resources. Such a defense might result from a planner using a
natural, defensive rule of thumb: Completely defend against the worst-case
interdiction plan, and use your remaining defensive resources as
advantageously as possible. To simulate this rule of thumb, we fix variables
in the DAD to defend {A18, A21, A23, A26}, and allow the model to select
optimally the remaining four defended lines. The full, suboptimal defense
plan becomes W' = {A18, A21, A23, A26, A27, A28, B21, B28}, also denoted by
the vector w'. The attacker counters w' by interdicting lines
X*(w') = {A12-1, B18, B23, B26}, yielding a cost of $538,192/hour, almost 28
percent higher than optimal. This percentage would likely be even higher in
the real world: Presumably, a planner who suboptimally forces defense of
X*(w0), will not optimally allocate his remaining defensive resources,
either.

Figure 3: Reliability Test System with Two-Areas (after Institute of
Electrical and Electronics Engineers 1999). This “one-line diagram” describes
a hypothetical electric power transmission grid used here to illustrate
optimal and suboptimal defensive plans evaluated through a formal, trilevel,
defender-attacker-defender model.

Supply Chains and Other Systems

Supply chains, i.e., physical-distribution systems, are a key infrastructure
of companies that manufacture or distribute goods. Supply chains are critical
to our nation's well-being despite their omission from the Department of
Homeland Security (2002) list of critical infrastructure. For example, Wein
and Liu (2005) describe how thousands of people could be killed by the
introduction of botulinum toxin at various points in a milk production,
transportation, and processing chain.

Strategic supply chain design for reducing costs and improving service levels
has a long and successful record in the United States. Unfortunately,
efficient supply chains are highly vulnerable to attack. In fact, after
scrupulously investing exactly the right amount of money in a supply chain,
on exactly the right bottlenecks, the resulting product-flow channels
resemble one or more spanning trees. However, a spanning tree is maximally
fragile: Breaking any link disconnects the network.

Brown et al. (2003a, b, 2004) and INSIGHT (2006) address supply chain
vulnerability. Our most important "result" is an observation: We still
encounter considerable confusion in the private sector between random acts of
nature (these have been studied by insurance actuaries for centuries) and
belligerent acts of an intelligent attacker who observes defensive
preparations and acts to maximize damage. We strongly suggest remedying this
confusion before proceeding with any analysis.

Sometimes, one can reduce vulnerability substantially with simple planning
and with only a modest investment in new physical infrastructure:
Strategically relocating surge capacity may provide benefit at virtually no
cost. This contrasts with the high cost of adding redundant capacity, or
hardening components, in other types of infrastructure.

We have learned to model competitors and dissatisfied labor unions as
attackers because they seek to maximize damage inflicted (e.g., to market
share, profit, or reputation). For instance, the labor dispute that resulted
in denial of access to west coast ports in the United States in 2002 was no
less damaging than the anthrax attacks of 2001 that closed eastern postal
services.

We have presented our findings to numerous companies and have received
enthusiastic responses. American companies now have senior executives focused
on "corporate continuity." These positions were originally motivated by
threats to information systems. Thus, back-up computer facilities and doubly
backed-up data have become ubiquitous. Now, these same companies are
realizing that they must also back up their physical operations to handle
attacks on their own infrastructure (e.g., equipment, warehouses) as well as
attacks on the public infrastructure they use (e.g., roads, communications
networks).


Our work has also led to new military and diplomatic planning models; two
have already been incorporated into comprehensive decision-support systems.
One system helps plan theater ballistic-missile defense (Brown et al. 2005a).
The embedded defender-attacker model optimally locates anti-missile platforms
(ships and ground-based units supplied with antimissile missiles) while
assuming the attacker can see some or all of our defensive preparations. The
other system identifies optimal actions (e.g., embargoes of key materials,
economic sanctions, military strikes) to delay a nuclear weapons program
(Skroch 2005, Harney et al. 2006). In this attacker-defender model, we are
the attacker. This model applies to any complex industrial project that can
be delayed by a competitor.

One insight from these military and diplomatic exercises is that the use of
deception and secrecy can contribute significantly to the successful defense
of our critical infrastructure, or to successful attacks on an adversary's
infrastructure. For instance, hiding the location of a defensive asset could
cause an attacker to strike an essentially invulnerable target. When dealing
with a suicide bomber, such an outcome could be desirable.

Even though this work is relatively new, there is already a large body of
unclassified publications, including about 70 red-team case studies, over 20
graduate theses, and numerous journal papers from our research team and
others. The topics include those discussed in this paper as well as rail
networks, domestic water-distribution systems, sea routes, attacks on public
events, and others. Furthermore, several decision-support tools have been
built and are actively being extended.

What  We  Have  Learned 

The answers are not obvious. The most damaging coordinated attacks, and the
most effective defenses, can be nonintuitive. The United States
infrastructure is enormous and complex. Analysis of such a large
infrastructure deserves rigorous, optimizing, decision-support tools to
formalize the notion of a transparent, two-sided conflict.

High-fidelity models are achievable. We can formulate, find data for, and
quickly solve high-fidelity models of critical-infrastructure systems.
Simpler, aggregated models may appeal, but unless verified by high-fidelity
models, their answers will always be suspect and insights may be lost.

Heuristics and rules of thumb are useful, but not for identifying
vulnerability. If we can evaluate vulnerability precisely, we can create a
reasonable heuristic to identify good, budget-limited sets of
vulnerability-reducing defensive actions. However, using a surrogate measure
of vulnerability (e.g., node degree and basic connectivity indices in a
network) leads to sensible defensive plans only if the system is very simple,
or an attacker plans attacks using that surrogate. If we base defensive
measures on heuristically identified, "near-optimal" attacks, we risk an
attack by an aggressor who is smarter than our heuristic.

Reliability is not the answer. We must protect collections of critical
components in our infrastructure systems, rather than backing up the
least-reliable components.

Malicious, coordinated attacks can be more damaging than random acts of
nature.

The  attacker  has  the  advantage.  This  is  the  reverse 
of  classical  military  theory  and  occurs,  in  part, 
because  of  the  asymmetric  nature  of  this  conflict:  The 
defender  must  protect  a  huge,  dispersed  target  set, 
while  the  attacker  need  only  focus  on  a  small  set  of 
targets  chosen  to  maximize  damage.  The  attacker  also 
has  an  advantage  in  terms  of  information. 

The data are available to everyone. Governmental agencies have produced Web
sites that offer much useful information to citizens and terrorists alike.
While many Web sites have been redesigned to reduce access to potentially
dangerous information, exceptions abound. We advise any owner of a public Web
site to appoint an independent red team to analyze that site with intent to
cause harm. There must be a proper balance between the public's right to know
and advertising our vulnerabilities.

Some  systems  are  naturally  robust,  while  others 
are  not.  Our  road  networks  are  remarkably  robust; 
fuel  pipeline-and-storage  systems  are  highly  fragile; 
most  other  systems  lie  somewhere  in  the  middle. 

Hardening infrastructure from attack can be expensive. However, if we
understand the nature of the most damaging attacks, we can improve a system's
robustness for a given budget. Critical infrastructure has been built to be
cost-effective with little concern for belligerent attacks; economic
incentives to mitigate this situation are lacking. This requires (1)
subsidies, changes to tax codes, and regulatory reform, and/or (2) proving
the secondary economic benefit of the necessary expenditures (e.g., spare
electric transmission capacity could provide new, profitable trading
opportunities).

However, there is at least one exception to the "can-be-expensive" rule:

An appropriate level of redundancy or reorganization could be inexpensive.
Some types of infrastructure, e.g., supply chains, will benefit, at little
expense, by adding a few alternate shipping paths, or by relocating surge
capacity wisely.

Secrecy and deception can be valuable. Two-person zero-sum games (e.g., Owen
2001, pp. 11-31) have secrecy at their core, and are likely to be useful in
this arena, too.

Conclusion 

We  face  a  determined,  intelligent  enemy  who  seeks 
to  cause  us  maximum  harm.  Worst-case  analysis 
using  optimization  is  crucial  to  a  credible  assessment 
of  infrastructure  vulnerability  and  for  planning 
mitigating  actions. 

Acknowledgments 

We thank the Air Force Office of Scientific Research, the Office of Naval
Research, the US Department of Homeland Security, the US Department of
Energy, and every US uniformed military service for their sustained research
support. We also thank INSIGHT, Inc., for helping us study how to protect
businesses against hostile threats.

References 

Ahuja,  R.,  T.  Magnanti,  J.  Orlin.  1993.  Network  Flows.  Prentice  Hall, 
Englewood  Cliffs,  NJ. 

Benders, J. 1962. Partitioning procedures for solving mixed integer
variables programming problems. Numerische Mathematik 4 238-252.

Benedetto, M., J. Bridges, D. Doyle, G. Spitz. 2005. Strategic Petroleum
Reserve (SPR) interdiction. Red Team Report, OA4202, Naval Postgraduate
School, Monterey, CA.

Brown, G., M. Carlyle, J. Salmeron, K. Wood. 2005a. Analyzing the
vulnerability of critical infrastructure to attack and planning defenses.
INFORMS Tutorials in Operations Research. Institute for Operations Research
and the Management Sciences, Hanover, MD, 102-123.




Brown,  Carlyle,  Salmeron,  and  Wood:  Defending  Critical  Infrastructure 
Interfaces  36(6),  pp.  530-544,  ©2006  INFORMS 


Brown,  G.,  M.  Carlyle,  J.  Diehl,  J.  Kline,  K.  Wood.  2005b.  How 
to  optimize  theater  ballistic  missile  defense.  Oper.  Res.  53 
263-275. 

Brown,  G.,  M.  Carlyle,  T.  Harrison,  J.  Salmeron,  K.  Wood.  2003a. 
How  to  attack  a  linear  program.  Presented  at  71st  Military 
Operations  Research  Society  Symposium,  Quantico,  VA,  June 
10-12. 

Brown,  G.,  M.  Carlyle,  T.  Harrison,  J.  Salmeron,  K.  Wood.  2003b. 
Tutorial:  How  to  build  a  robust  supply  chain  or  harden  the  one 
you  have.  Presented  at  INFORMS  Annual  Meeting,  Atlanta, 
GA,  October  19-22. 

Brown,  G.,  M.  Carlyle,  T.  Harrison,  J.  Salmeron,  K.  Wood.  2004. 
Designing  robust  supply  chains  and  hardening  the  ones  you 
have. Presented at INFORMS Conf. on OR/MS Practice, Cambridge,
MA, April 24-27.

Brown,  P.  2005.  Optimizing  the  long-term  capacity  expansion 
and  protection  of  Iraqi  oil  infrastructure.  Master's  thesis. 
Operations  Research  Department,  Naval  Postgraduate  School, 
Monterey,  CA. 

Cormican,  K.,  D.  Morton,  K.  Wood.  1998.  Stochastic  network 
interdiction.  Oper.  Res.  46  184-197. 

Department of the Army (DOA). 2000a. Army Field Manual FM 3-01.11,
Appendix A: ADA employment principles, guidelines, and
priorities. Retrieved May 12, 2006
http://www.globalsecurity.org/military/library/policy/army/fm/3-01-11/appa.htm.

Department of the Army (DOA). 2000b. Army Field Manual FM 44-100,
Chapter 4. Fundamentals of army air and missile defense
operations. Retrieved May 12, 2006
http://www.globalsecurity.org/space/library/policy/army/fm/44-100/ch4.htm.

Department of Homeland Security (DHS). 2002. National strategy
for homeland security. Retrieved May 12, 2006
http://www.whitehouse.gov/homeland/book.

Federation of American Scientists (FAS). 2006. Al Qaeda training
manual. Federation of American Scientists. Retrieved August 1,
2006 http://www.fas.org/irp/world/para/aqmanual.pdf.

Garcia,  M.  L.  2001.  The  Design  and  Evaluation  of  Physical  Protection 
Systems.  Butterworth-Heinemann,  Woburn,  MA. 

General  Accounting  Office  (GAO).  2004.  Border  security:  Agencies 
need  to  better  coordinate  their  strategies  and  operations  on 
federal  lands.  Report  to  Congressional  requesters  GAO-04-590, 
US  General  Accounting  Office,  Washington,  D.C.,  June. 

Golden,  B.  1978.  A  problem  in  network  interdiction.  Naval  Res. 
Logist.  Quart.  25  711-713. 

Harney,  R.,  G.  Brown,  M.  Carlyle,  E.  Skroch,  K.  Wood.  2006. 
Anatomy  of  a  project  to  produce  a  first  nuclear  weapon.  Science 
and  Global  Security.  Forthcoming. 


INSIGHT. 2006. Strategic analysis of integrated logistics systems
(SAILS). Manassas, VA. Retrieved May 15, 2006
http://www.insight-mss.com/data/SAILS_Product_Descriptionl.pdf.

Institute of Electrical and Electronics Engineers (IEEE). 1999. The
IEEE reliability test system — 1996. IEEE Trans. on Power Systems
14 1010-1020.

Israeli, E., K. Wood. 2002. Shortest-path network interdiction.
Networks 40 97-111.

Luft, G., A. Korin. 2003. Terror's next target. Institute for the
Analysis of Global Security. Retrieved May 10, 2006
http://www.iags.org/0111041.htm.

Moore, J., J. Bard. 1990. The mixed integer linear bilevel
programming problem. Oper. Res. 38 911-921.

O'Neill, R. 1976. Nested decomposition of multistage convex
programs. SIAM J. Control Optim. 14 409-418.

Owen,  G.  2001.  Game  Theory,  3rd  ed.  Academic  Press,  San  Diego, 
CA. 

Pan,  F.,  W.  Charlton,  D.  Morton.  2003.  A  stochastic  program  for 
interdicting  smuggled  nuclear  material.  D.  L.  Woodruff,  ed. 
Network  Interdiction  and  Stochastic  Integer  Programming.  Kluwer 
Academic  Publishers,  Dordrecht,  The  Netherlands,  1-20. 

Pulat,  H.  2005.  A  two-sided  optimization  of  border  patrol 
interdiction.  Master's  thesis.  Operations  Research  Department, 
Naval  Postgraduate  School,  Monterey,  CA. 

Roberts, N., W. Vesely, D. Haasl, F. Goldberg. 1981. Fault Tree
Handbook. NUREG-0492, US Nuclear Regulatory Commission,
Washington, D.C.

Salmeron,  J.,  K.  Wood,  R.  Baldick.  2004a.  Optimizing  electric  grid 
under  asymmetric  threat  (II).  Technical  Report  NPS-OR-04-001, 
Naval  Postgraduate  School,  Monterey,  CA. 

Salmeron, J., K. Wood, R. Baldick. 2004b. Analysis of electric grid
security under terrorist threat. IEEE Trans. on Power Systems 19
905-912.

Skroch,  E.  2005.  Interdicting  a  nuclear  weapons  project.  Master's 
thesis.  Operations  Research  Department,  Naval  Postgraduate 
School,  Monterey,  CA. 

von Stackelberg, H. 1952. The Theory of the Market Economy
(translated from German). William Hodge & Co., London, UK.

Wein,  L.  M.,  Y.  Liu.  2005.  Analyzing  a  bioterror  attack  on  the  food 
supply:  The  case  of  botulinum  toxin  in  milk.  Proc.  National 
Acad.  Sci.  102(28)  9984-9989. 

Wood, A., B. Wollenberg. 1996. Power Generation, Operation, and
Control, 2nd ed. John Wiley and Sons, New York.

Wood,  K.  1993.  Deterministic  network  interdiction.  Math.  Comput. 
Model.  17  1-18. 


